A significant consideration in interaction between computing entities is trust—whether a foreign computing entity will behave in a reliable and predictable manner, or will be (or already is) subject to subversion. Trusted systems which contain a component at least logically protected from subversion have been developed by the companies forming the Trusted Computing Group (TCG). The TCG develops specifications in this area, for example the “TCG TPM Specification” Version 1.2, which is published on the TCG website. The implicitly trusted components of a trusted system enable measurements of a trusted system and are then able to provide these in the form of integrity metrics to appropriate entities wishing to interact with the trusted system. The receiving entities are then able to determine from the consistency of the measured integrity metrics with known or expected values that the trusted system is operating as expected.
Integrity metrics will typically include measurements of the software used by the trusted system. These measurements may, typically in combination, be used to indicate states, or trusted states, of the trusted system. Measurements will typically be recorded in the form of “digests”—results of hashing the measured data using a hashing algorithm to produce a fixed-size result. Such digests may be combined into a “platform configuration register” (PCR) of a trusted component—a trusted component will generally have a plurality of PCRs dedicated to specific purposes. In Trusted Computing Group specifications, mechanisms are also taught for “sealing” data to a particular platform state—this has the result of encrypting the sealed data into an inscrutable “opaque blob”. The blob is typically stored outside of the trusted component in normal memory and contains a value derived at least in part from measurements of software on the platform. The measurements as indicated comprise digests of the software, because digest values will change on any modification to the software. This sealed data may only be recovered if the trusted component measures the current platform state and finds it to be represented by the same value as in the opaque blob.
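The following added example (not part of the original text or of any TCG code) models how digests are folded into a PCR and how a sealed blob is released only when the current PCR matches the sealed value. The extend rule is the TPM 1.2 one, PCR_new = SHA-1(PCR_old || digest); the class `TrustedComponent`, the helper `boot`, and the HMAC-based blob protection are assumptions standing in for the trusted component's internal storage key.

```python
import hashlib, hmac, os

class TrustedComponent:
    """Toy model of a trusted component with one PCR; not a real TPM interface."""

    def __init__(self, alg="sha1"):              # TPM 1.2 PCRs hold SHA-1 digests
        self.alg = alg
        self._root = os.urandom(32)              # assumed internal key, never exported
        self.reset()

    def reset(self):
        """Platform reset: the PCR returns to all zeros."""
        self.pcr = bytes(hashlib.new(self.alg).digest_size)

    def extend(self, measured: bytes) -> bytes:
        """Fold a measurement in: PCR_new = H(PCR_old || H(measured))."""
        digest = hashlib.new(self.alg, measured).digest()
        self.pcr = hashlib.new(self.alg, self.pcr + digest).digest()
        return self.pcr

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        # Illustrative stream cipher: HMAC-SHA256 in counter mode under the root key.
        stream = b"".join(
            hmac.new(self._root, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def seal(self, secret: bytes, required_pcr: bytes) -> bytes:
        """Return an opaque blob binding `secret` to `required_pcr`."""
        nonce = os.urandom(16)
        ct = self._xor(nonce, required_pcr + secret)
        tag = hmac.new(self._root, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob: bytes) -> bytes:
        """Release the secret only if the current PCR equals the sealed value."""
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        good = hmac.new(self._root, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("blob modified outside the trusted component")
        body, n = self._xor(nonce, ct), len(self.pcr)
        if not hmac.compare_digest(body[:n], self.pcr):
            raise PermissionError("platform state differs from sealed state")
        return body[n:]

def boot(tc: TrustedComponent, components) -> bytes:
    """Reset, then measure each software component in load order."""
    tc.reset()
    for blob in components:
        tc.extend(blob)
    return tc.pcr
```

Because each extend hashes the previous PCR value together with the new digest, the final value depends on every measured component and on the order in which they were measured.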
It will be appreciated that the integrity of recorded data may be dependent on the mechanisms used to protect that data. One such mechanism is the hashing algorithm used to produce digests. Security algorithms, such as hashing algorithms, typically become less effective over time, as heavy use and study generally reveal security vulnerabilities. It would be desirable to find a way to maintain data integrity in trusted systems over time.